{"id":1806,"date":"2024-08-19T16:23:33","date_gmt":"2024-08-19T16:23:33","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1806"},"modified":"2024-09-05T00:45:21","modified_gmt":"2024-09-05T00:45:21","slug":"sa-4-acquisition-process","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/system-and-services-acquisition-sa\/sa-4-acquisition-process\/","title":{"rendered":"SA-4: Acquisition Process"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">SA-4: Acquisition Process<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Privacy Baseline: &nbsp;<\/strong>Yes&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>TAMUS Required By: &nbsp;<\/strong>08\/01\/2022&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: \u00a0<\/strong>08\/08\/2024\u00a0<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Information resource owners or their designees, in conjunction with Texas A&amp;M University System (TAMUS) and\/or Tarleton State University (Tarleton) Procurements and Contracting personnel, must include information security requirements in all information resource acquisition contracts based on an assessment of risk and in accordance with applicable laws including Texas Administrative Code (TAC) <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=77\" target=\"_blank\" rel=\"noreferrer 
">
noopener\">\u00a7202.77<\/a> and TAMUS Policies and Regulations including <a href=\"http:\/\/policies.tamus.edu\/25-07.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Policy 25.07, Contract Administration<\/a>; <a href=\"http:\/\/policies.tamus.edu\/25-07-01.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 25.07.01, Contract Administration, Delegations and Reporting<\/a>; and <a href=\"http:\/\/policies.tamus.edu\/25-07-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 25.07.03, Acquisition of Goods and\/or Services<\/a>. Such contract language, explicitly or by reference within the TAMUS\/Tarleton standardized contract language, should include:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Security and privacy functional requirements;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Strength of mechanism requirements;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Security and privacy assurance requirements;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Controls needed to satisfy the security and privacy requirements;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Security and privacy documentation requirements;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Requirements for protecting security and privacy documentation;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Description of the system development environment and the environment in which the system is intended to operate;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and&nbsp;&nbsp;<\/li>\n\n\n\n<li>Acceptance criteria.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Information resource owners, or their designees, should ensure that appropriate documentation is provided by the vendor periodically to Tarleton showing evidence that the vendor meets the security controls required under the contract, at least during initial procurement, when any major changes occur to the service\/software provided, and during contract renewals.&nbsp;&nbsp;<\/li>\n\n\n\n<li>The Tarleton Chief 
Information Security Officer (CISO), in coordination with applicable TAMUS and\/or Tarleton Procurements and Contracting personnel, shall:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Review and approve the security requirements in acquisition contracts of any new information system that processes and\/or stores sensitive or high-impact information prior to the member procuring the system or service, and&nbsp;<\/li>\n\n\n\n<li>Ensure acquisition contracts for information systems, system components, or information system services address information security, backup, and privacy requirements.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Such contracts should include right-to-audit and other provisions to provide appropriate assurance that applications and information are adequately protected.&nbsp;<\/li>\n\n\n\n<li>Such contracts should require that vendors and third parties adhere to all federal, state, TAMUS, and Tarleton policies pertaining to the protection of information resources and the privacy of sensitive information.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=77\" target=\"_blank\" rel=\"noreferrer noopener\">TAC \u00a7202.77<\/a> requires compliance with the Texas Risk and Authorization Management Program (TX-RAMP) for new and renewed contracts for cloud computing services.&nbsp; See the <a href=\"https:\/\/dir.texas.gov\/information-security\/tx-ramp-eligibility-and-requirements\" target=\"_blank\" rel=\"noreferrer noopener\">Texas Department of Information Resources guidance<\/a> for additional information.&nbsp;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional 
Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">PRIVACT<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">OMB A-130<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">ISO 15408-1<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">ISO 15408-2<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">ISO 15408-3<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.iso.org\/standard\/72089.html\" target=\"_blank\" rel=\"noreferrer noopener\">ISO 29148<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3\" target=\"_blank\" rel=\"noreferrer noopener\">FIPS 140-3<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2\" target=\"_blank\" rel=\"noreferrer noopener\">FIPS 201-2<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-35\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-35<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-37<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-70<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-73-4<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-137\" target=\"_blank\" rel=\"noreferrer noopener\">SP 
800-137<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-160-1<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-161\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-161<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.7539\" target=\"_blank\" rel=\"noreferrer noopener\">IR 7539<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.7622\" target=\"_blank\" rel=\"noreferrer noopener\">IR 7622<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.7676\" target=\"_blank\" rel=\"noreferrer noopener\">IR 7676<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.7870\" target=\"_blank\" rel=\"noreferrer noopener\">IR 7870<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8062\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8062<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.niap-ccevs.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">NIAP CCEVS<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.nsa.gov\/resources\/everyone\/csfc\" target=\"_blank\" rel=\"noreferrer noopener\">NSA CSFC<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.138\" target=\"_blank\" rel=\"noreferrer noopener\">Tex. Govt. Code Sec. 
2054.138<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=27\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC 202.27<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=77\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC 202.77<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"http:\/\/policies.tamus.edu\/25-07.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">TAMUS Policy 25.07<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"http:\/\/policies.tamus.edu\/25-07-01.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">TAMUS Regulation 25.07.01<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"http:\/\/policies.tamus.edu\/25-07-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">TAMUS Regulation 25.07.03<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SA-4: Acquisition Process NIST Baseline: Low&nbsp; Privacy Baseline: &nbsp;Yes&nbsp; DIR Required By: &nbsp;07\/20\/2023&nbsp; TAMUS Required By: &nbsp;08\/01\/2022&nbsp; Review Date: \u00a008\/08\/2024\u00a0 References\/Additional Resources PRIVACT&nbsp; OMB A-130&nbsp; ISO 15408-1&nbsp; ISO 15408-2&nbsp; ISO 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1975,"menu_order":4,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1806","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on August 19, 2024","modified":"Updated on September 5, 2024"},"absolute_dates_time":{"created":"Posted on August 19, 2024 4:23 pm","modified":"Updated on September 5, 2024 12:45 am"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1806"}],"version-history":[{"count":0,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1806\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1975"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-con
trols-catalog\/wp-json\/wp\/v2\/media?parent=1806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}